1

Hello members of StackExchange,

I am running a Debian 8.0 server with Full-Disk-Encryption and while I was doing some hardening I went through the /etc/fstab and I was wondering if some partitions were really necessary to be mounted automatically.

After some research I found out that apparently it is not necessary to auto-mount the /boot partition since it is being read otherwise and I would not want some program potentially writing in this rather critical area.

But since my filesystem is encrypted, I am not sure if that is still the case and if in general that answer was correct.

I would be happy if someone could give me an answer on that.

Thanks in advance!

Community
  • 1
comfreak
  • 1,451
  • 1
  • 21
  • 32

1 Answers1

3

The /boot partition, while not strictly need for system startup, is an important one and should be mounted. Let me do two simple examples of when it is needed:

1) Kernel recompile: you will find that your boot partition hosts some files called config-*. These files describe the kernel configuration, and are re-read when issuing make menuconfig (and similar) when recompiling your kernel. While it is true that this is not the only method to store kernel configuration, it surely is one of the most used/common.

2) Upgrades: when you upgrade your distro, the packet manager will eventually download a new kernel and install it under /boot. If /boot is not mounted, these boot files will be placed in the wrong filesystem and Grub will not recognize them.

In the end, while you surely can have a running system without /boot, this is not a good idea. At least, you should always mount it when needed - if you know that.

shodanshok
  • 44,038
  • 6
  • 98
  • 162
  • So, would it be an option if I auto-mount it read-only instead and temporarily re-mount it in read-write mode whenever I am doing an update/upgrade? – comfreak Jun 11 '15 at 19:56
  • Yes, but you had to **remember** to mount it each time it is necessary. As a side note, how do you know **when** is it necessary? While updates are obviously, are you 100% sure that no other processes need write access to /boot partition? – shodanshok Jun 11 '15 at 20:27
  • I have been running a server with `/boot` in read-only for a while and everything seems running fine, but I see your point. Is there a different way of making sure no process is manipulating this partition (from a security standpoint)? – comfreak Jun 11 '15 at 20:46
  • A first option is to make all files world-readable but only root-writable. Another option is to use SELINUX to protect the /boot mount point from unwanted writes. – shodanshok Jun 11 '15 at 21:56
  • It actually seems like `/boot` is by default only root-writable. I will check into the second option you mentioned at one point as well. Thanks! – comfreak Jun 12 '15 at 07:21